Environment
- EDR: All Supported Versions
- Linux: All Supported Versions
Objective
How to Collect Diagnostics for Linux Sensor Connection and Communication Issues:
- Sensor fails to register
- Sensor does not show in the console
- Sensor no longer connects
Resolution
- Run this command on the affected machine as root (replace <EDR_Server_IP> with the IP address or hostname of the EDR server the sensor should be talking to, not the sensor's own address). tcpdump options go before the filter, and the two filter primitives must be joined with "and"; add -i <interface> if the default interface is not the one that reaches the server:
sudo tcpdump -w /tmp/EDR_sensor_connection.pcap port 443 and host <EDR_Server_IP>
- If tcpdump is not installed on a RedHat-based distribution:
sudo yum install tcpdump
- With the capture still running, open a second terminal and force an immediate sensor check-in to the EDR server by sending SIGUSR1 to the sensor daemon as root. Use the signal name rather than a number (SIGUSR1 is 10 on x86 but not on every architecture):
sudo kill -USR1 $(pidof cbdaemon)
- Give the sensor time to attempt the check-in, then stop the capture with Ctrl+C in the tcpdump terminal and keep /tmp/EDR_sensor_connection.pcap.
- Generate the Linux sensor diagnostic bundle:
sudo /opt/carbonblack/response/bin/sensordiag.sh
- Upload the packet capture and the sensor diagnostic bundle to CBVault.
- Send server diagnostics as well; in a clustered environment, send them from the master and from every minion. Run this on the server over a terminal/SSH session (Support collects this themselves for Hosted EDR customers):
/usr/share/cb/cbdiag --post
- Add the following information to the case and let the support engineer know the logs have been uploaded:
1) Is this a newly installed sensor?
2) If the kernel is 4.4 or newer, are the matching kernel headers installed?
3) Does the connection go through a proxy? If so, what is the proxy address?
4) What are the IP addresses of the sensor and the server?
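The sensor-side steps above, combined into one script that runs on the affected host. This is an added example, not a script that ships with the EDR sensor: it assumes the cbdaemon process name and the sensordiag.sh path given above, that tcpdump is on PATH, and it writes its output under /tmp/edr-diag-<timestamp>, a location chosen here rather than by the product. The server-side cbdiag step is left out because it runs on the EDR server, not on the sensor.

```shell
#!/bin/sh
# Added example (not part of the EDR product): automate the sensor-side
# diagnostic steps from this article. Assumes: tcpdump on PATH, the sensor
# daemon is named cbdaemon and /opt/carbonblack/response/bin/sensordiag.sh
# exists (both as stated above); the output directory is this script's choice.
# Usage: sudo sh collect_edr_diag.sh <EDR_Server_IP_or_hostname> [capture_seconds]

SENSORDIAG=/opt/carbonblack/response/bin/sensordiag.sh

# Reject anything that is not an IPv4/IPv6 address or hostname; the value is
# spliced into a tcpdump filter, so shell metacharacters must never get in.
valid_target() {
  case "$1" in
    "") return 1 ;;
    *[!A-Za-z0-9.:-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# The capture command as a string: options before the BPF filter, and the
# filter primitives joined with 'and' (tcpdump has no implicit conjunction).
capture_cmd() {
  printf 'tcpdump -i any -nn -s 0 -w %s port 443 and host %s' "$2" "$1"
}

# True when the kernel release (major.minor) is 4.4 or newer, i.e. when the
# sensor needs the matching kernel headers (question 2 above).
kernel_needs_headers() {
  local rel major rest minor
  rel="${1:-$(uname -r)}"
  major="${rel%%.*}"
  rest="${rel#*.}"
  minor="${rest%%[!0-9]*}"
  [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 4 ]; }
}

# Headers for a given release are installed when /lib/modules/<rel>/build
# resolves to a directory; the modules root is a parameter so it can be tested.
kernel_headers_present() {
  local rel modroot
  rel="${1:-$(uname -r)}"
  modroot="${2:-/lib/modules}"
  [ -d "$modroot/$rel/build" ]
}

# Answers to the four support questions, one key=value per line.
env_summary() {
  local rel
  rel=$(uname -r)
  echo "kernel_release=$rel"
  if kernel_needs_headers "$rel"; then
    if kernel_headers_present "$rel"; then echo "kernel_headers=present"
    else echo "kernel_headers=MISSING"; fi
  else
    echo "kernel_headers=not required (kernel older than 4.4)"
  fi
  # Environment proxy settings only; a proxy configured in the sensor's own
  # config would not show here.
  echo "proxy=${https_proxy:-${HTTPS_PROXY:-none}}"
  echo "edr_server=$1"
  echo "sensor_ip=$(hostname -I 2>/dev/null || hostname -i 2>/dev/null || echo unknown)"
  echo "sensor_dir_mtime=$(stat -c %y /opt/carbonblack/response 2>/dev/null || echo unknown)"
}

collect() {
  local server secs outdir pcap tcpdump_pid daemon_pid
  server="$1"; secs="${2:-60}"
  if ! valid_target "$server"; then
    echo "usage: $0 <EDR_Server_IP_or_hostname> [capture_seconds]" >&2
    return 2
  fi
  outdir="/tmp/edr-diag-$(date +%Y%m%d-%H%M%S)"
  pcap="$outdir/EDR_sensor_connection.pcap"
  mkdir -p "$outdir" || return 1

  # 1. Start the capture in the background (the word splitting is intended;
  #    both arguments were validated / chosen above).
  $(capture_cmd "$server" "$pcap") &
  tcpdump_pid=$!
  sleep 2   # let tcpdump attach before we generate traffic

  # 2. Force an immediate check-in: cbdaemon checks in on SIGUSR1. Use the
  #    signal name; its number (10 on x86) differs between architectures.
  if daemon_pid=$(pidof cbdaemon); then
    kill -USR1 $daemon_pid   # unquoted: pidof may return several PIDs
  else
    echo "cbdaemon is not running; capturing for $secs s anyway" >&2
  fi
  sleep "$secs"

  # 3. Stop the capture the way Ctrl+C would, so tcpdump flushes the pcap.
  kill -INT "$tcpdump_pid"
  wait "$tcpdump_pid" 2>/dev/null

  # 4. Sensor diagnostics; include whatever it produces in the upload.
  [ -x "$SENSORDIAG" ] && "$SENSORDIAG"

  # 5. Environment answers next to the pcap.
  env_summary "$server" > "$outdir/sensor_environment.txt"
  echo "Collected in $outdir; upload it with the sensordiag output to CBVault"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
  collect "$@"
fi
```

Run it as root with the EDR server address and, optionally, how many seconds to capture after the forced check-in (`sudo sh collect_edr_diag.sh 10.0.0.5 60`). The sensor_environment.txt it writes answers the four support questions from the host itself; the proxy line only reflects environment variables, so a proxy set in the sensor's own configuration still has to be reported by hand.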
Additional Notes
Related Content